COPYRIGHT & TRADEMARKS
Copyright 2001 SofaWare, All Rights Reserved. No part of this document may be reproduced in any form or by any means without written permission from SofaWare. Information in this document is subject to change without notice and does not represent a commitment on part of SofaWare Technologies Ltd.
SofaWare, SofaWare S-box, Safe@Home and Safe@Office are trademarks, service marks, or registered trademarks of SofaWare Technologies Ltd. Check Point, the Check Point logo, FireWall-1, FireWall-1 SecureServer, FireWall-1 SmallOffice, FloodGate-1, INSPECT, IQ Engine, Meta IP, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecureUpdate, SiteManager-1, SVN, UAM, User-to-Address Mapping, UserAuthority, Visual Policy Editor, VPN-1, VPN-1 Accelerator Card, VPN-1 Gateway, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice, and ConnectControl are trademarks, service marks, or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
The products described in this document are protected by U.S. Patent No. 5,606,668 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.
SAFETY PRECAUTIONS
Carefully read the Safety Instructions and the Installation and Operating Procedures provided in this User's Guide before attempting to install or operate the SofaWare S-box. Failure to follow these instructions may result in damage to equipment and/or personal injuries.
- Before cleaning the S-box, unplug the power cord. Use only a soft cloth dampened with water for cleaning.
- Any changes or modifications to this product not explicitly approved by the manufacturer could void any assurances of Safety or Performance and could result in violation of Part 15 of the FCC Rules.
- When installing the S-box, ensure that the vents are not blocked.
- Do not use the S-box outdoors.
- Do not expose the S-box to liquid or moisture.
- Do not expose the S-box to extreme high or low temperatures.
- Do not drop, throw, or bend the S-box since rough treatment could damage it.
- Do not use any accessories other than those approved by SofaWare. Failure to do so may result in loss of performance, damage to the product, fire, electric shock or injury, and will void the warranty.
- Do not disassemble or open the S-box. Failure to comply will void the warranty.
- Do not route the cables in a walkway or in a location that will crimp the cables.
POWER ADAPTER
The S-box should only be used with the power adapter provided. The power adapter should be plugged into a surge protected power source. In addition, be careful not to overload the wall outlets, extension cords, etc. used to power this unit. Connect the power adapter only to power sources as marked on the product. To reduce risk of damage to the electric cord, remove it from the outlet by holding the power adapter rather than the cord.
SECURITY DISCLAIMER
The S-box provides your home/office network with the highest level of security. However, no product can provide you with absolute protection against a determined effort to break into your system. We recommend using additional security measures to secure highly valuable or sensitive information.
Table of Contents
Chapter 1 Introduction
  About Your SofaWare S-box
  SofaWare S-box Software
    SofaWare Safe@Home
    SofaWare Safe@Home Pro
    SofaWare Safe@Office
    SofaWare Safe@Office Plus
  About This Guide
  SofaWare S-box Features and Compatibility
    Connectivity
    Security
    Management
    Security Services
    VPN
    Package Contents
    Network Requirements
  Getting to Know Your SofaWare S-box
    Rear Panel
    Front Panel
  Contacting Technical Support
Chapter 2 Installing and Configuring the S-box
  Before You Install the S-box
    Windows 98/Millennium Operating Systems
    Windows 2000/XP Operating System
    Installing TCP/IP Protocol
    Mac OS
  Connecting Your S-box to the Network
  Network Installation
  Configuring Your S-box for Internet Connection
    Setting Up Your Password
    Using the Setup Wizard
    Using Advanced Setup
Chapter 3 Getting Started
  Logging on to the SofaWare Safe@ Portal
    Logging on with SofaWare Safe@Home or SofaWare Safe@Home Pro
    Logging on with SofaWare Safe@Office
  Accessing the SofaWare Safe@ Portal through HTTPS
  Using the SofaWare Safe@ Portal
    Navigation Bar
    Main Frame
    Status Bar
  Logging off
Chapter 4 Managing Your Network
  Viewing Network Activity Information
  Configuring Network Settings
    Enabling/Disabling the DHCP Server
    Changing IP Addresses
    Enabling/Disabling NAT
  Changing the Internet Connection Configuration
  Using Quick Internet Connection/Disconnection
  Configuring HTTPS
  Static Routes
    Adding a Static Route
    Viewing and Editing Static Routes
    Deleting a Static Route
Chapter 5 Viewing Reports
  Viewing the Event Log
  Viewing Connections
  Viewing Computers
Chapter 6 Setting Your S-box Security Policy
  Setting the Firewall Security Level
  Configuring Virtual Servers
  Creating Rules
    Allow and Block Rules
    Demilitarized Zone (DMZ)
Chapter 7 Using Subscription Services
  Starting Your Subscription Services
  Viewing Services Information
  Canceling Subscription Services
  Web Filtering
    Enabling/Disabling Web Filtering When Locally Managed
    Selecting Categories for Blocking
    Temporary Disable for Web Filtering When Remotely Managed
  Virus Scanning
    Enabling/Disabling E-mail Anti Virus When Locally Managed
    Selecting Protocols for Scanning
    Temporary Disable for E-mail Anti Virus When Remotely Managed
  Automatic and Manual Updates
    Checking for Software Updates When Locally Managed
    Checking for Software Updates When Remotely Managed
  Refreshing Your Service Center Connection
  Configuring Your Account
Chapter 8 Working With VPNs
  Adding and Editing VPN Sites using SofaWare Safe@Home Pro
  Adding and Editing VPN Sites using SofaWare Safe@Office
    Configuring a Remote Access VPN Site
    Configuring a Site to Site VPN Gateway
    Completing Site Creation
  Setting Up Your S-box as a VPN Server
  Deleting a VPN Site
  Enabling/Disabling a VPN Site
  Installing a Certificate
    Uninstalling a certificate
  Logging on to a VPN Site
    Logging on through the SofaWare Safe@ Portal
    Logging on through the my.vpn page
  Logging off a VPN Site
  Viewing VPN Tunnels
Chapter 9 Managing Users
  Changing Your Password
    Using SofaWare Safe@Home and SofaWare Safe@Home Pro
    Using SofaWare Safe@Office
  Adding Users
  Viewing and Editing Users
  Deleting Users
  Setting Up Remote VPN Access for Users
Chapter 10 Upgrading and Updating
  Upgrading Your Software Product
  Registering Your S-box
  Updating the Firmware Manually
Chapter 11 Troubleshooting
  Frequently Asked Questions
  Viewing Firmware Status
  Resetting the S-box to factory defaults
  Rebooting the SofaWare S-box
  Running Diagnostics
Appendix Specifications
  Technical Specifications
    FCC
    CE Declaration of Conformity
Glossary
Index
Chapter 1
Introduction
About Your SofaWare S-box
The SofaWare S-box is an advanced Internet security appliance, enabling secure high-speed Internet access from the home or office. The S-box incorporates the Safe@ product family from SofaWare Technologies, an affiliate of Check Point Software Technologies, the worldwide leader in securing the Internet. The Safe@ firewall, based on Check Point's market-leading FireWall-1 Stateful Inspection technology, inspects and filters all incoming and outgoing traffic, blocking all unauthorized traffic. Unlike PC-based firewalls, the S-box is a hardware appliance, which makes installation easier and provides protection for your entire network, not just a single computer. The S-box also allows sharing your Internet connection among several PCs or other network devices, enabling advanced home/office networking. With the SofaWare S-box, home users can subscribe to valuable subscription security services, such as firewall security updates, parental control and others. Business users can use the S-box to securely connect to the corporate network.
SofaWare Safe@Home
Safe@Home protects your home network from hostile Internet activity. It is intended for home users and can be used by up to five computers.
SofaWare Safe@Office
SofaWare Safe@Office provides all the benefits of SofaWare Safe@Home Pro, along with expanded VPN functionality: it acts not only as a VPN client, but also as a VPN server, which is installed office-side to protect the company's VPN and make it available to telecommuting employees. SofaWare Safe@Office can also be configured as a VPN gateway, which allows permanent bi-directional connections between two gateways, such as two company offices. SofaWare Safe@Office is intended both for companies with extended enterprise networks and for their employees working from home. It can be used by up to ten computers.
Warning Warnings are denoted by indented text and preceded by the Warning icon.
Tasks that require SofaWare Safe@Home are marked with the Safe@Home icon.
Tasks that require SofaWare Safe@Home Pro are marked with the Safe@Home Pro icon.
Tasks that require SofaWare Safe@Office or SofaWare Safe@Office Plus are marked with the Safe@Office icon.
Connectivity
- 4-port 10/100 Mbit/s Ethernet switch
- Internet connection sharing (NAT - Network Address Translation)
- PPPoE/PPTP support
- DHCP server and client
Security
- Advanced Stateful Inspection Firewall security
- Protection from Denial of Service (DoS) attacks
- Anti-spoofing protection
- Intrusion logging
- Updateable and customizable security policy
Management
- Local Web-based interface
- Remote management by Service Center or corporate
- Remote firmware updates
- Remote management via HTTPS
- Remote management by Service Center or corporate, using the SofaWare Security Management Platform (SMP)
Security Services (1)
- Automatic Firewall security updates
- Content filtering
- E-mail anti-virus protection
- Centralized logging and intrusion detection
- VPN management
(1) Depends on availability of service in your area
SofaWare S-box Getting Started Guide
VPN
- IPSEC VPN Remote Access Server (SofaWare Safe@Office only)
- IPSEC VPN Site-To-Site Gateway (SofaWare Safe@Office only)
- IPSEC VPN Remote Access Client (SofaWare Safe@Home Pro and SofaWare Safe@Office only)
- Certificates authentication support (SofaWare Safe@Office only)
Package Contents
- SofaWare S-box Internet Security Appliance
- CAT5 Straight-through Ethernet Cable
- Power Adapter
- Quick Start Guide
- This Getting Started Guide
Network Requirements
- A broadband Internet connection via cable or DSL modem with Ethernet interface (RJ-45)
- 10BaseT or 100BaseT Network Interface Card installed on each computer
- TCP/IP network protocol installed on each computer
- CAT5 STP (Category 5 Shielded Twisted Pair) Ethernet cable for each computer
- Internet Explorer 5.0 or higher, or Netscape Navigator 4.7 and higher
Note - For optimal results, it is highly recommended to use either Microsoft Internet Explorer 5.5 or higher, or Netscape Navigator 6.2 or higher.
The following lists the SofaWare S-box's rear panel items.
Label - Description
PWR - A power jack used for supplying power to the unit. Connect the power adapter to this jack.
RESET - A button used for rebooting the S-box or resetting the S-box to its factory defaults. A sharp object is needed for pressing this button.
  Short press reboots the S-box.
  Long press (7 seconds) resets the S-box to its factory defaults. This will result in loss of all security services and passwords and you will have to re-configure your S-box. DO NOT RESET THE UNIT WITHOUT CONSULTING YOUR S-BOX PROVIDER.
WAN - Wide Area Network: An Ethernet port (RJ-45) used for connecting your cable or xDSL modem.
LAN 1-4 - Local Area Network: Four Ethernet ports (RJ-45) used for connecting computers or other network devices.
Front Panel
The SofaWare S-box includes 11 status LEDs. You can monitor the S-box's operation by viewing these LEDs during operation. Figure 2 shows the S-box status LEDs.
LED - Description
PWR/SEC
  Off - Power off
  Flashing quickly (Green) - System boot-up
  Flashing slowly (Green) - Establishing Internet connection
  On (Green) - Normal Operation
  Flashing (Red) - Hacker attack blocked
  On (Red) - Error
LINK/ACT
  Link is down.
  10Mbps link established for the corresponding port.
  100Mbps link established for the corresponding port.
  Flashing - Data is being transmitted/received
Chapter 2
3. In the Network window, check whether TCP/IP appears in the network components list and whether it is already configured with the Ethernet card installed on your computer.
1. In the Network window, click Add. The Select Network Component Type window appears.
2. Choose Protocol and click Add. The Select Network Protocol window appears.
3. In the Manufacturers list choose Microsoft, and in the Network Protocols list choose TCP/IP.
4. Click OK. If Windows asks for original Windows installation files, provide the installation CD and relevant path when required (e.g. D:\win98).
5. Restart your computer if prompted.
TCP/IP Settings
Note - If you are connecting your S-box to an existing LAN, consult your network manager for the correct configurations.
1. In the Network window, double-click the TCP/IP service for the Ethernet card that has been installed on your computer. The TCP/IP Properties window opens.
2. Click the Gateway tab, and remove any installed gateways.
3. Click the DNS Configuration tab, and click the Disable DNS radio button.
4. Click the IP Address tab, and click the Obtain an IP address automatically radio button.
Note - Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically. If for some reason you need to assign a static IP address, select Specify an IP address, type in an IP address in the range of 192.168.10.129-254, enter 255.255.255.0 in the Subnet Mask field, and click OK to save the new settings. (Note that 192.168.10 is the default value, and it may vary if you changed it in the My Network page.)
5. Click Yes when prompted with "Do you want to restart your computer?". Your computer restarts, and the new settings take effect. Your computer is now ready to access your S-box.
2. Double-click the Network and Dial-up Connections icon. The Network and Dial-up Connections window appears.
3. Right-click the
menu that opens. The Local Area Connection Properties window appears.
4. In the above window, check whether TCP/IP appears in the components list and whether it is properly configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, you must install it as described in the next section.
2. Choose Protocol and click Add. The Select Network Protocol window appears.
3. Choose Internet Protocol (TCP/IP) and click OK. TCP/IP protocol is installed on your computer.
TCP/IP Settings
1. In the Local Area Connection Properties window double-click the Internet Protocol (TCP/IP) component, or select it and click Properties. The Internet Protocol (TCP/IP) Properties window opens.
3. Click the Obtain DNS server address automatically radio button.
4. Click OK to save the new settings. Your computer is now ready to access your S-box.
Mac OS
Use the following procedure for setting up the TCP/IP Protocol.
1. Choose Apple Menus -> Control Panels -> TCP/IP. The TCP/IP window appears.
2. Click the Connect via drop-down list and select Ethernet.
3. Click the Configure drop-down list and select Using DHCP Server.
4. Close the window and save the setup.
[Figure: network connection diagram. Labels: Internet, xDSL or Cable Modem, SofaWare S-box, Hub, PC, PC, Macintosh, Wireless Bridge]
Network Installation
1. Verify that you have the correct cable type:
   - For proper operation, the S-box requires STP CAT5 (Shielded Twisted Pair Category 5) Ethernet cables. Make sure that this specification is printed on your cables.
2. Connect the LAN cable:
   - Connect one end of the Ethernet cable to one of the LAN ports at the back of the unit.
   - Connect the other end to PCs, hubs or other network devices.
3. Connect the WAN cable:
   - Connect one end of the Ethernet cable to the WAN port at the back of the unit.
   - Connect the other end of the cable to a Cable Modem, xDSL modem or corporate network.
4. Connect the power adapter to the power socket, labeled PWR, at the back of the S-box. Plug in the AC power adapter to the wall electrical outlet.
Warning - The S-box AC adapter is compatible with either 100, 120 or 230 VAC input power. Please verify that the wall outlet voltage is compatible with the voltage specified on your power supply. Failure to observe this warning may result in injuries or damage to equipment.
2. Type a password both in the Password and the Confirm Password text boxes.
Note - You can change your password at any time. For further information, see Changing Your Password, page 123.
3. Click OK. The SofaWare Setup Wizard opens, with the Welcome screen displayed.
4. Configure your S-box's Internet connection by doing one of the following:
   - To manually configure the connection settings, click Cancel to abort the Setup Wizard, and use Advanced Setup. For further information, see Using Advanced Setup, page 35.
   - To have the Setup Wizard take you through the configuration process step by step, see Using the Setup Wizard, below.
2. Select the Internet Connection method you wish to use for connecting to the Internet.
Note - If you selected DSL Modem, do not use your dial-up software to connect to the Internet.
3. Click Next.
Local Area Network (LAN) Settings
No further settings are required for LAN connection. The Confirmation screen appears.
4. Click Next. The system attempts to connect to the Internet via the selected connection. The Connecting screen appears.
At the end of the connection process the Connected screen appears. Once connected, the wizard will prompt you to register your details (see To register your S-box now, page 132), install the product key (see To install a Product Key, page 129) and set up your subscription options (see Starting Your Subscription Services, page 79), which may vary from product to product.
5. Follow the instructions until the wizard is done, and then click Finish.
Cable Connection Settings
If the Cable connection method is selected, the Host Name screen appears.
4. If your ISP requires a specific hostname for authentication, enter it in the Host Name text box. The ISP will supply you with the proper hostname, if required. Most ISPs do not require a specific hostname.
5. If your ISP requires the MAC address, do either of the following:
   - If you know the MAC address of your computer, enter it in the MAC cloning text box, OR
   - Click This Computer to automatically "clone" the MAC of your computer to the S-box.
   A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, they will instruct you to enter the MAC address. Otherwise, you may leave this field blank.
6. Click Next. The Confirmation screen appears.
7. Click Next. The system attempts to connect to the Internet. At the end of the connection process the Connected screen appears.
Once connected, the wizard will prompt you to register your details (see To register your S-box now, page 132), install the product key (see To install a Product Key, page 129), and set up your subscription options (see Starting Your Subscription Services, page 79), which may vary from product to product.
8. Follow the instructions until the wizard is done, and then click Finish.
DSL Connection Settings
If DSL connection method is selected, the following screen appears.
5. Click Next.
Using PPPoE
If PPPoE connection method is selected, the following screen appears.
6. In the User text box, type the user name you use to access the Internet.
7. In the Password and Confirm Password text boxes, type the password you use to access the Internet.
8. In the Service text box, type your service name if required by your ISP, otherwise leave this text box empty.
9. Click Next. The system attempts to connect to the Internet via the DSL connection. At the end of the connection process the Connected screen appears.
Once connected, the wizard will prompt you to register your details (see To register your S-box now, page 132), install the product key (see To install a Product Key, page 129) and set up your subscription options (see Starting Your Subscription Services, page 79), which may vary from product to product.
10. Follow the instructions until the wizard is done, and then click Finish.
Using PPTP
If PPTP connection method is selected, the following screen appears.
6. In the User text box, type your user name.
7. In the Password and Confirm Password text boxes, type your password.
8. In the Service text box, type your service name.
9. In the Server IP text box, type the IP address of the DSL modem.
10. In the Client IP text box, type the IP address required for accessing the DSL modem.
11. In the Subnet Mask text box, type the Subnet Mask of the DSL modem.
12. Click Next. The system attempts to connect to the Internet via the DSL connection. At the end of the connection process the Connected screen appears.
Once connected, the wizard will prompt you to register your details (see To register your S-box now, page 132), install the product key (see To install a Product Key, page 129) and set up your subscription options (see Starting Your Subscription Services, page 79), which may vary from product to product.
13. Follow the instructions until the wizard is done, and then click Finish.
Using Automatic DHCP
If Automatic DHCP connection method is selected, no further settings are required. The Confirmation screen appears.
6. Click Next. The system attempts to connect to the Internet via the selected connection. The Connecting screen appears.
At the end of the connection process the Connected screen appears. Once connected, the wizard will prompt you to register your details (see To register your S-box now, page 132), install the product key (see To install a Product Key, page 129) and set up your subscription options (see Starting Your Subscription Services, page 79), which may vary from product to product.
7. Follow the instructions until the wizard is done, and then click Finish.
2. In the Navigation Bar, click on Setup. The Internet page appears.
4. From the Connection Type drop-down list, select the Internet connection you are using/intend to use. The display changes according to the connection type you selected. The following steps should be performed in accordance with the connection type you have chosen.
LAN Connection
5. If your ISP requires a specific hostname for authentication, enter it in the Host Name text box. The ISP will supply you with the proper hostname, if required. Most ISPs do not require a specific hostname.
6. If your ISP requires the MAC address, do either of the following:
   - If you know the MAC address of your computer, enter it in the MAC cloning text box, OR
   - Click This Computer to automatically "clone" the MAC of your computer to the S-box.
   A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, they will instruct you to enter the MAC address. Otherwise, you may leave this field blank.
7. If you do not want the S-box to obtain an IP address automatically using DHCP, do the following:
   a. Clear the Obtain IP address automatically (using DHCP) check box.
   b. In the IP Address text box, type the static IP address of your S-box.
   c. From the Subnet Mask drop-down list, select the Subnet mask that applies to the IP address you have entered in the previous step.
   d. In the Default Gateway text box, type the IP address of the default gateway of your ISP.
   e. In the Preferred DNS Server text box, type the Primary DNS server IP address.
   f. In the Alternate DNS Server text box, type the Secondary DNS server IP address.
8. If you want the S-box to obtain an IP address automatically using DHCP, but not to automatically configure DNS servers, do the following:
   a. Clear the Obtain DNS Servers automatically check box.
   b. In the Preferred DNS Server text box, type the Primary DNS server IP address.
   c. In the Alternate DNS Server text box, type the Secondary DNS server IP address.
9. Click Apply.
Cable Connection
10. If your ISP requires a specific hostname for authentication, enter it in the Host Name text box. The ISP will supply you with the proper hostname, if required. Most ISPs do not require a specific hostname.
11. If your ISP requires the MAC address, do either of the following:
• If you know the MAC address of your computer, enter it in the MAC cloning text box.
OR
• Click This Computer to automatically "clone" the MAC of your computer to the S-box.
A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, they will instruct you to enter the MAC address. Otherwise, you may leave this field blank.
12. If you are not using automatic configuration of DNS servers, do the following:
a. Clear the Obtain DNS servers automatically check box.
b. In the Preferred DNS Server text box, type the Primary DNS server IP address.
c. In the Alternate DNS Server text box, type the Secondary DNS server IP address.
13. Click Apply.
xDSL PPPoE Connection
5. In the Username text box, type your user name.
6. Type your password both in the Password and in the Confirm Password text boxes.
7. In the Service text box, type the service name as given by your ISP.
Note - If your ISP has not provided you with a service name, leave this text box empty.
8. The MTU text box allows you to control the maximum transmission unit size. As a general recommendation you should leave this field empty. If however you wish to modify the default MTU, it is recommended that you consult with your ISP first and use MTU values between 1300 and 1500.
9. If your ISP requires the MAC address, do either of the following:
• If you know the MAC address of your computer, enter it in the MAC cloning text box.
OR
• Click This Computer to automatically "clone" the MAC of your computer to the S-box.
A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, they will instruct you to enter the MAC address. Otherwise, you may leave this field blank.
10. If you are not using automatic configuration of DNS servers, do the following:
a. Clear the Obtain DNS servers automatically check box.
b. In the Preferred DNS Server text box, type the Primary DNS server IP address.
c. In the Alternate DNS Server text box, type the Secondary DNS server IP address.
11. Click Apply.
xDSL PPTP Connection
5. In the Username text box, type your user name.
6. Type your password both in the Password and in the Confirm Password text boxes.
7. In the Service text box, type the service name as given by your ISP.
8. In the Server IP text box, type the IP address of the PPTP server as given by your ISP.
9. In the Client IP text box, type the IP address of the PPTP client as given by your ISP.
10. From the Subnet Mask drop-down list, select the PPTP client subnet as given by your ISP.
11. The MTU text box allows you to control the maximum transmission unit size. As a general recommendation you should leave this field empty. If however you wish to modify the default MTU, it is recommended that you consult with your ISP first and use MTU values between 1300 and 1500.
12. If your ISP requires the MAC address, do either of the following:
• If you know the MAC address of your computer, enter it in the MAC cloning text box.
OR
• Click This Computer to automatically "clone" the MAC of your computer to the S-box.
A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, they will instruct you to enter the MAC address. Otherwise, you may leave this field blank.
13. If you are not using automatic configuration of DNS servers, do the following:
a. Clear the Obtain DNS servers automatically check box.
b. In the Preferred DNS Server text box, type the Primary DNS server IP address.
c. In the Alternate DNS Server text box, type the Secondary DNS server IP address.
14. Click Apply.
Chapter 3
Getting Started
This chapter contains all the information you need in order to get started using your S-box.
This task can only be performed using SofaWare Safe@Home or SofaWare Safe@Home Pro.
To log on to the SofaWare S-box Portal
1. Do one of the following:
• Browse to http://my.firewall.
Or
• To log on through HTTPS, follow the procedure Accessing the SofaWare Safe@ Portal through HTTPS, page 48.
The S-box login page appears.
To log on to the SofaWare S-box Portal
1. Do one of the following:
• Browse to http://my.firewall.
Or
• To log on through HTTPS, follow the procedure Accessing the SofaWare Safe@ Portal through HTTPS, page 48.
The S-box login page appears.
2. Type in your username and password.
3. Click OK. The Welcome page appears.
To access the SofaWare Safe@ Portal from your internal network
Browse to https://my.firewall. (Note that the URL starts with https, not http.) The SofaWare Safe@ Portal appears.
To access the SofaWare Safe@ Portal through the Internet
Browse to https://<firewall_IP_address>:981. (Note that the URL starts with https, not http.) The following things happen in the order below:
• If this is your first attempt to access the SofaWare Safe@ Portal through HTTPS, the certificate in the S-box is not yet known to the browser, so the Security Alert dialog box appears. To avoid seeing this dialog box again, install the certificate of the destination S-box. If you are using Internet Explorer 5, do the following:
1) Click View Certificate. The Certificate dialog box appears, with the General tab displayed.
2) Click Install Certificate. The Certificate Import Wizard opens.
3) Click Next.
4) Click Next.
5) Click Finish.
6) Click Yes.
7) Click OK. The Security Alert dialog box reappears.
8) Click Yes.
• The SofaWare Safe@ Portal appears.
[Figure labels: Navigation Bar, Main Frame, Status Bar]
Navigation Bar
The Navigation Bar includes the following main menus:
Welcome - displays the welcome information
Reports - provides reporting capabilities in terms of event logging, established connections, and active computers
Security - provides controls and options for setting the security of any computer in the network
Services - allows you to control your subscription to SofaWare Managed Services
Setup - lets you manage and configure your Internet connections
Password - lets you set your password. This main menu only appears in Safe@Home and Safe@Home Pro.
Users - lets you manage S-box users. This main menu only appears in SofaWare Safe@Office.
VPN - lets you manage, configure, and log on to VPN sites. This main menu only appears in SofaWare Safe@Home Pro and SofaWare Safe@Office.
Help - provides context-sensitive on-line help
Logout - allows you to log off of the SofaWare Safe@ Portal
Main Frame
The Main Frame displays the relevant data and controls pertaining to the menu and tab you select. These elements sometimes differ depending on whether you are using SofaWare Safe@Home, SofaWare Safe@Home Pro, or SofaWare Safe@Office. The differences are described throughout this guide.
Status Bar
The Status Bar, located at the bottom of each page, displays information regarding the following:
Internet - your Internet connection status, which may be one of the following:
• Connected - The S-box is connected to the Internet.
• Not Connected - The Internet connection is down.
• Establishing Connection - The S-box is connecting to the Internet.
• Contacting Gateway - The S-box is trying to contact the Internet default gateway.
Service Center - your Service Center may offer various subscription services. These include the firewall service, and optional services such as parental control and e-mail virus scanning. The following lists the security services status:
• Not Subscribed - You are not subscribed to security services.
• Connection Failed - The Internet connection is down.
• Connecting - The S-box is connecting to the Service Center.
• Connected - You are connected to the Service Center, and security services are active.
Logging off
Logging off terminates your administration session. Any subsequent attempt to connect to the SofaWare Safe@ Portal will require re-entering of the administration password.
To log off of the SofaWare Safe@ Portal
If you are connected locally, in the Navigation Bar, click Logout. The Logout screen appears.
Chapter 4
Managing Your Network
The following information is displayed:
• Connection - provides information on the connection status and the connection duration, if it is active
• Activity - details the amount of data packets sent and received in the active connection
• Internet - provides information on the user's IP and MAC addresses as well as the connection mode used
Note - If you change the network settings to incorrect values and are unable to correct the error, you can reset the S-box to its default settings. See Resetting the S-box to factory defaults, page 141.
3. In the DHCP Server list, select Enabled or Disabled.
4. Click Apply.
• If you chose to disable the DHCP server, the DHCP server is disabled.
• If you chose to enable the DHCP server, it is enabled.
5. If you don't have another DHCP server in your network, and your computers were originally configured differently, do the following:
• Reconfigure all the devices on your network.
• Disable the Obtain IP address automatically (using DHCP) setting in the TCP/IP settings. For information on configuring TCP/IP, see TCP/IP Settings, page 18.
Changing IP Addresses
If desired, you can change your S-box's internal IP address. Using Safe@Office, you can also change the entire range of IP addresses in your internal network. You may want to perform these tasks if, for example, you are adding the S-box to a large existing network and don't want to change that network's IP address range, or if you are using a DHCP server other than the S-box that assigns addresses within a different range.
Warning - If you change the S-box internal IP address, you may have to manually change the network interface TCP/IP setting when using static IP, or renew the DHCP lease when using Dynamic IP. Otherwise, you may not have access to the SofaWare Safe@ Portal or to the Internet.
To change IP addresses
1. In the Navigation Bar, click on Setup. The Internet page appears.
2. In the Setup submenu, click on My Network. The My Network page appears.
3. To change the S-box's internal IP address, enter the new IP address in the S-box LAN IP field.
4. To change the internal network range, enter a new value in the LAN Subnet Mask field.
Note - The internal network range is defined both by the S-box's internal IP address and by the subnet mask. For example, if the S-box's internal IP address is 192.168.100.7, and you set the subnet mask to 255.255.255.0, the network's IP address range will be 192.168.100.1 - 192.168.100.254.
5. To reset the network to its default settings, click Default. The internal network range is 192.168.10.*, and DHCP and NAT are enabled.
6. Click Apply. A warning message appears.
7. Click OK. The S-box internal IP address and/or the internal network range are changed.
8. Do one of the following:
• If your computer is configured to obtain its IP address automatically (using DHCP), and the S-box DHCP server is enabled, restart your computer. Your computer obtains an IP address in the new range.
• Otherwise, manually reconfigure your computer to use the new address range using the TCP/IP settings. For instructions, see TCP/IP Settings, page 18.
Enabling/Disabling NAT
NAT can be disabled only in SofaWare Safe@Office.
Network Address Translation (NAT) enables you to share a single IP address among several computers.
Note - If NAT is disabled, you must obtain a range of IP addresses. NAT is enabled by default.
To enable/disable NAT
1. In the Navigation Bar, click on Setup. The Internet page appears.
2. In the Setup submenu, click on My Network. The My Network page appears.
3. From the NAT list, select Enabled or Disabled.
4. Click Apply.
• If you chose to disable NAT, it is disabled.
• If you chose to enable NAT, it is enabled.
Configuring HTTPS
You can enable S-box users to remotely access the SofaWare Safe@ Portal through the Internet. To do so, you must first configure HTTPS.
To configure HTTPS
1. In the Navigation Bar, click on Setup. The Internet page appears.
2. In the Setup submenu, click on HTTPS. The HTTPS Configuration page appears.
• To allow access to the SofaWare Safe@ Portal from a particular range of IP addresses, select Allow from this IP address range only and enter the desired IP address range in the fields provided.
• To allow access to the SofaWare Safe@ Portal from any IP address, select Allow from any IP address.
Warning - If HTTPS is enabled, your S-box settings can be changed remotely, so make sure all S-box users' passwords are unguessable.
4. Click Apply. The HTTPS configuration is saved. You can now access the SofaWare Safe@ Portal through the Internet, using the procedure Accessing the SofaWare Safe@ Portal through HTTPS, page 48.
Static Routes
Static Routes are applicable only for SofaWare Safe@Office.
Note - It is generally not necessary to specify static routes. Only define static routes if it is required.
A static route is a setting that explicitly specifies the route for packets destined for a certain subnet. Packets with a destination that does not match any defined static route will be routed to the default gateway. All systems have a default gateway that cannot be deleted. To modify the default gateway, see LAN Connection, page 37. The Static Routes page lists all existing routes, including the default, and indicates whether or not each route is currently "Up" (reachable).
To add a static route
1. In the Navigation Bar click on Setup. The Setup page appears.
2. In the Setup submenu, click Static Routes. The Static Routes page appears, with a listing of existing static routes.
4. Complete the fields using the information in Table 1, page 61.
5. Click Apply. The new static route is saved.
Table 1
Field | Description | Example
Destination Network | Enter the network address of the destination network. | 62.91.32.0
Subnet Mask | Select the subnet mask from the drop-down list. | 255.255.255.0
Gateway IP | Enter the IP address of the gateway (next hop router) to which to route the packets destined for this network. | 212.150.10.1
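The route lookup described above and the range rule from the My Network note, as an added Python example that is not the S-box's own code: it validates a Static Routes row, picks the next hop for a destination, and computes the host range from a LAN IP and subnet mask. The function names, the default gateway, the second (overlapping) route, and the rule that the most specific matching route wins are assumptions of this example; the first route is the Table 1 example.

```python
"""Static-route lookup and LAN range (added example, not S-box code)."""
from ipaddress import ip_address, ip_network


def lan_range(lan_ip, subnet_mask):
    """First and last host address of the network defined by LAN IP + mask."""
    network = ip_network(f"{lan_ip}/{subnet_mask}", strict=False)
    if network.prefixlen > 30:
        raise ValueError("mask leaves no usable host range")
    return str(network.network_address + 1), str(network.broadcast_address - 1)


def is_network_address(destination, subnet_mask):
    """False if the destination has host bits set under the chosen mask,
    e.g. 62.91.32.5 with 255.255.255.0 is a host, not a network."""
    try:
        ip_network(f"{destination}/{subnet_mask}", strict=True)
        return True
    except ValueError:
        return False


def make_route(destination, subnet_mask, gateway):
    """Build one validated (network, gateway) pair; raises ValueError on bad input."""
    return ip_network(f"{destination}/{subnet_mask}", strict=True), ip_address(gateway)


def next_hop(routes, default_gateway, destination):
    """Gateway that a packet for `destination` is sent to."""
    dest = ip_address(destination)
    candidates = [(net, gw) for net, gw in routes if dest in net]
    if not candidates:
        return str(default_gateway)  # no static route matches
    # Assumption: with overlapping routes the most specific one wins.
    _, gateway = max(candidates, key=lambda route: route[0].prefixlen)
    return str(gateway)


# First route: the Table 1 example. Second route and default gateway are
# constructed for illustration (documentation address range).
ROUTES = [
    make_route("62.91.32.0", "255.255.255.0", "212.150.10.1"),
    make_route("62.91.0.0", "255.255.0.0", "198.51.100.254"),
]
DEFAULT_GW = "198.51.100.1"

if __name__ == "__main__":
    print(lan_range("192.168.100.7", "255.255.255.0"))
    for dest in ("62.91.32.77", "62.91.40.1", "203.0.113.9"):
        print(dest, "->", next_hop(ROUTES, DEFAULT_GW, dest))
```

A route whose gateway is wrong silently diverts all traffic for that subnet, so reviewing the table with a lookup like this is a quick way to confirm where each destination actually goes.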
To edit a static route
1. In the Navigation Bar click on Setup. The Setup page appears.
2. In the Setup submenu, click Static Routes. The Static Routes page appears, with a listing of existing static routes.
3. In the desired route row, click Edit. The Edit Route page appears displaying the destination network, subnet mask, and gateway IP of the selected route.
4. To edit the route details, do the following:
a. Edit the fields using Table 1, page 61.
b. Click Apply. The changes are saved.
5. To return to the Users page without making any changes, click Cancel.
To delete a static route
1. In the Navigation Bar, click Setup. The Setup page appears.
2. In the Setup submenu, click Static Routes. The Static Routes page appears, with a listing of existing static routes.
3. In the desired route row, click the Delete icon. A confirmation message appears.
4. Click OK. The route is deleted.
Chapter 5
Viewing Reports
The SofaWare Safe@ Portal lets you view reports on the following:
• Network activity
• Currently active network connections
• Currently active computers
To view the event log
In the Navigation Bar click on Reports. The Event Log page appears.
You can do any of the following:
• Click the Refresh button to refresh the display.
• Click the Clear button to clear all events.
• If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker's details by clicking on the IP address of the attacking machine. The S-box queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. This information is useful in tracking down hackers.
Viewing Connections
This option allows you to view the currently active connections between your network and the external world. The active connections are displayed as a list, specifying source IP address, destination IP address and port, and the protocol used (TCP, UDP, etc.).
To view the active connections
1. In the Navigation Bar click on Reports. The Event Log page appears.
2. In the Reports submenu click on Active Connections. The Active Connections page appears.
You can do the following:
• Click the Refresh button to refresh the display.
• To view information on the destination machine, click on its IP address. The S-box queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information.
Viewing Computers
This option allows you to view the currently active computers on your network. The active computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information.
To view the active computers
1. In the Navigation Bar click on Reports. The Event Log page appears.
2. In the Reports submenu click on Active Computers. The Active Computers page appears.
If you are exceeding the maximum number of computers allowed by your license, a warning message appears, and the computers over the node limit are marked in red. These computers may not be able to access the Internet through the S-box.
Note - To increase the number of computers allowed by your license, you must upgrade your product. For further information, see Upgrading Your Software Product, page 127.
If desired, you can click the Refresh button to refresh the display.
3. To view node limit information, do the following:
a. Click Node Limit. The Node Limit window appears with the installed software product and the number of nodes used.
Chapter 6
2. Drag the security lever to the desired level. The S-box security level changes accordingly.
Using the SofaWare Safe@ Portal, you can selectively allow incoming network connections into your network. For example, you can set up your own Web server, Mail server or even an FTP server.
To allow a service to be run on a host
1. In the Navigation Bar click on Security. The Firewall page appears.
2. Click on the Servers tab. The Virtual Servers page appears, displaying a list of services and a host IP address for each allowed service.
When using SofaWare Safe@Office, the page contains a VPN Only column:
3. In the Allow column, select the check box of the desired service or application. If you are using SofaWare Safe@Office, the appropriate check box in the VPN Only column is enabled.
4. To allow only connections made through a VPN, select the VPN Only check box.
5. In the Host IP text box of the selected service or application, type the IP address of the computer that will run the service (one of your network computers), or click the corresponding This Computer button to allow your computer to host the service.
6. Click Apply. A success message appears, and the selected computer is allowed to run the desired service or application.
To stop a certain service from running on a specific host
1. In the Navigation Bar click on Security. The Firewall page appears.
2. Click on the Servers tab. The Virtual Servers page appears, displaying a list of services and a host IP address for each allowed service.
3. In the desired service or application's row, click Clear. The Host IP text box of the desired service is cleared.
4. Click Apply. The service or application for the specific host is not allowed.
Creating Rules
The SofaWare S-box checks the protocol used, the port range and the destination IP address when deciding whether to allow or block traffic. User-defined rules have priority over the default rules. By default, in the "Medium" security level, the S-box blocks all connection attempts from the Internet (WAN) to the LAN, and allows all outgoing connection attempts from the LAN to the Internet (WAN).
Internet, for specific port ranges and protocols, you must create a new Block rule.
To create a new rule
1. In the Navigation Bar click on Security. The Firewall page appears.
2. Click the Allow tab to create a new Allow rule or click the Block tab to create a new Block rule. Depending on the tab you chose, either the Allow Rules page appears...
Note - When using SofaWare Safe@Home or SofaWare Safe@Home Pro, the Allow Rules page does not contain a VPN Only column, and the Block Rules page does not contain an Also VPN column.
3. To specify the port range to which the rule applies, in the Ports column, type the start port number in the left text box, and the end port number in the right text box.
Note - If you do not enter a port range, the rule will apply to all ports. If you enter only one port number, the range will be open-ended.
4. From the Protocol drop-down list, select the protocol (TCP, UDP, or ANY) for which you wish to create a rule.
5. In the Internet IP text box, do one of the following:
• If you are creating an Allow rule, type the Internet IP address that should be allowed to access the defined ports of a specific computer inside your network.
• If you are creating a Block rule, type the Internet IP address whose defined ports should not be accessible from a specific computer inside your network.
Note - When in No-NAT mode, you can leave the Internet IP field empty. The rule will then apply to the entire Internet. When creating Allow rules in NAT mode, you must provide an IP address. This way the S-box knows to which computer to forward incoming connections. On the other hand, when defining Block rules in NAT mode, you can leave the Internet IP field empty, which will result in S-box blocking outgoing Internet connections of all computers in the local network on the specified ports.
6. In the Home IP text box, do one of the following:
• If you are creating an Allow rule, type the IP address of the computer inside your network, to which the specified Internet IP address should be allowed access.
• If you are creating a Block rule, type the IP address of the computer inside your network, for which access to the specified Internet IP address should be blocked.
Alternatively, you can specify your computer, by clicking This Computer.
7. In the Allow Rules page, select the VPN Only check box to allow only connections made through a VPN.
8. In the Block Rules page, select the Also VPN check box if you want the rule to apply not only to the Internet but to the VPN as well.
9. Click Add. The new rule is added to the list of rules.
To delete an existing rule
1. In the Navigation Bar click on Security. The Firewall page appears.
2. Click the Allow tab to delete an Allow rule or click the Block tab to delete a Block rule. The Allow/Block Rules page appears.
3. Click the icon of the rule you wish to delete. A confirmation message appears.
4. Click OK. The rule is deleted.
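The rule semantics above, modelled in Python as an added example (not SofaWare code): user-defined rules are checked before the Medium-level defaults, and an audit helper flags Allow rules whose port range is wider than intended. The class and function names, the sample addresses, the reading of an empty address field as "any address", and the reading of an open-ended range as running to port 65535 (or from port 1) are assumptions of this example.

```python
"""Model of the Allow/Block rule semantics (added example, not S-box code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

MAX_PORT = 65535


@dataclass(frozen=True)
class Rule:
    kind: str                          # "allow": Internet -> LAN, "block": LAN -> Internet
    protocol: str = "ANY"              # "TCP", "UDP" or "ANY"
    start_port: Optional[int] = None   # left Ports text box
    end_port: Optional[int] = None     # right Ports text box
    internet_ip: Optional[str] = None  # None models an empty Internet IP field
    home_ip: Optional[str] = None      # None models an empty Home IP field

    def port_range(self):
        """No ports entered: all ports. Only one entered: open-ended range
        (assumed here to extend to port 1 or to port 65535)."""
        low = 1 if self.start_port is None else self.start_port
        high = MAX_PORT if self.end_port is None else self.end_port
        return low, high


@dataclass(frozen=True)
class Connection:
    direction: str    # "in": Internet -> LAN, "out": LAN -> Internet
    protocol: str     # "TCP" or "UDP"
    internet_ip: str
    home_ip: str
    port: int         # destination port


def _same_host(rule_ip, conn_ip):
    # Assumption: an empty address field matches any address.
    return rule_ip is None or ip_address(rule_ip) == ip_address(conn_ip)


def matches(rule, conn):
    """True if the rule applies to this connection attempt."""
    wanted = "in" if rule.kind == "allow" else "out"
    low, high = rule.port_range()
    return (conn.direction == wanted
            and rule.protocol in ("ANY", conn.protocol)
            and low <= conn.port <= high
            and _same_host(rule.internet_ip, conn.internet_ip)
            and _same_host(rule.home_ip, conn.home_ip))


def decide(rules, conn):
    """User-defined rules first, then the Medium-level defaults."""
    for rule in rules:
        if matches(rule, conn):
            return rule.kind
    return "block" if conn.direction == "in" else "allow"


def wide_allow_rules(rules, max_ports=1):
    """Audit helper: Allow rules that open more than `max_ports` ports."""
    wide = []
    for rule in rules:
        low, high = rule.port_range()
        if rule.kind == "allow" and high - low + 1 > max_ports:
            wide.append(rule)
    return wide


# Constructed sample rules; Internet addresses are from documentation ranges,
# LAN addresses from the default 192.168.10.* range.
WEB_OPEN = Rule("allow", "TCP", 80, None, "203.0.113.5", "192.168.10.20")
WEB_EXACT = Rule("allow", "TCP", 80, 80, "203.0.113.5", "192.168.10.20")
NO_SMTP = Rule("block", "TCP", 25, 25, None, "192.168.10.30")

if __name__ == "__main__":
    probe = Connection("in", "TCP", "203.0.113.5", "192.168.10.20", 8080)
    print(decide([WEB_OPEN], probe))    # only the start port entered
    print(decide([WEB_EXACT], probe))   # both text boxes set to 80
    print(wide_allow_rules([WEB_OPEN, WEB_EXACT, NO_SMTP]))
```

In this model, a rule meant for one port has to carry that port in both text boxes; with only the start port filled in, the same rule also admits every higher port.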
To define a computer as DMZ
1. In the Navigation Bar click on Security. The Firewall page appears.
2. Click the DMZ tab. The DMZ IP Address page appears.
3. In the DMZ IP Address text box, type the IP address of the computer you wish to define as DMZ. Alternatively, you can click This Computer to define your computer as DMZ.
4. Click Apply. The selected computer is now defined as DMZ.
Chapter 7
The Setup Wizard opens, with the first Subscription Services dialog box displayed.
3. Make sure the I wish to connect to a Service Center check box is selected.
4. Do either of the following:
• To connect to the SofaWare Service Center, select usercenter.sofaware.com.
• To specify a Service Center, do the following:
1) Select Specified.
2) In the Specified text box, enter the desired Service Center's IP address, as given to you by the Service Center.
5. Click Next. The Connecting screen appears. The second Subscription Services dialog box appears.
6. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider.
7. Click Next. The Connecting screen appears. The third Subscription Services dialog box appears with a list of services to which you are subscribed.
8. Click Next. The final Subscription Services dialog box appears with a success message.
9. Click Finish. The following things happen:
• If a new firmware was installed, the S-box is restarted.
• The services to which you are subscribed are now available on your S-box and listed as such on the Account page. See Viewing Services Information, page 83 for further information.
The Services submenu includes the services to which you are subscribed.
Web Filtering
When enabled, access to Web content is restricted according to the categories specified under Allow Categories. Adult users will be able to view Web pages with no restrictions, only after they have provided the administrator password via the Web Filtering pop-up window.
3. Drag the On/Off lever upwards or downwards. Web Filtering is enabled/disabled for all internal network computers.
4. Click Snooze.
• Web Filtering is temporarily disabled for all internal network computers.
• The Snooze button changes to Resume.
3. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page.
• The service is re-enabled for all internal network computers.
• The Resume button changes to Snooze.
• If the Web Filtering Off popup window was open, it closes.
Virus Scanning
Enabling this option will result in automatic scanning of your e-mail for the detection and elimination of all known viruses and vandals.
3. Drag the On/Off lever upwards or downwards. E-mail Anti Virus is enabled/disabled for all internal network computers.
To enable virus scanning for a protocol
1. In the Protocols area, click or next to the desired protocol.
2. Click Apply.
3. Click Snooze.
• E-mail Anti Virus is temporarily disabled for all internal network computers.
• The Snooze button changes to Resume.
4. To re-enable the service, click Resume, either in the popup window, or on the E-mail Anti Virus page.
• The service is re-enabled for all internal network computers.
• The Resume button changes to Snooze.
• If the E-mail Anti Virus Off popup window was open, it closes.
3. To set the S-box to automatically check for and install new software updates, drag the Automatic/Manual lever upwards. The S-box checks for new updates and installs them according to its schedule.
Note - When the Software Updates service is set to Automatic, you can still manually check for updates. See step 5.
4. To set the S-box so that software updates must be checked for manually, drag the Automatic/Manual lever downwards. The S-box does not check for software updates automatically.
5. To manually check for software updates, click Update Now. The system checks for new updates and installs them.
3. Click Update Now. The system checks for new updates and installs them.
Your Service Center web site opens.
3. Follow the on-screen instructions.
Chapter 8
Working With VPNs
SofaWare Safe@Home Pro and SofaWare Safe@Office provide VPN functionality. SofaWare Safe@Home Pro contains a VPN client. SofaWare Safe@Office can act as a VPN client, a VPN server, or a VPN gateway. If you currently have SofaWare Safe@Home and need VPN functionality, you can upgrade your software to SofaWare Safe@Home Pro, SofaWare Safe@Office, or SofaWare Safe@Office Plus.
To define Site to Site VPN gateways, you must have SofaWare Safe@Office. For further information, see Adding and Editing VPN Sites using SofaWare Safe@Office, page 102.
To add or edit VPN sites using SofaWare Safe@Home Pro
1. In the Navigation Bar, click on VPN. The VPN Sites page appears, with a list of VPN sites.
2. Do either of the following:
• To add a VPN site, click New Site.
• To edit a VPN site, click Edit in the desired VPN site's row.
The SofaWare VPN Site Wizard opens, with the Welcome to the VPN Site Wizard screen displayed.
4. Enter the IP address of the VPN gateway to which you want to connect, as given to you by the network administrator.
5. Click Next. The Resolving screen appears. The VPN Network Configuration dialog box appears.
6. Do one of the following:
• To obtain the network configuration by downloading it from the VPN site, select Download Configuration. This option will automatically configure your VPN settings, by downloading the network topology definition from the VPN server.
Note - Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or SofaWare Safe@Office VPN gateway.
• To provide the network configuration manually, select Specify Configuration.
7. Click Next.
• If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Do the following:
1) In the Destination network column, enter up to three destination network addresses at the VPN site to which you want to connect.
2) In the Subnet mask column, select the subnet masks for the destination network addresses.
Note - Obtain the destination networks and subnet masks from the VPN gateway's system administrator.
8. Click Next. The following things happen in the order below:
• If you chose to Download Configuration, the Connecting screen appears, and then the Contacting VPN Site screen appears.
9. Enter a name for the VPN site. You may choose any name.
10. Click Next. The VPN Site Created screen appears.
11. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
You define each VPN site according to the function you want SofaWare Safe@Office to perform when connecting to it: VPN client Define the VPN site as a Remote Access VPN site using the procedure below. VPN gateway Do the following: ! On the first VPN sites S-box, define the second VPN site as a Site to Site VPN gateway using the procedure below, and enable the VPN server using the procedure Setting Up Your S-box as a VPN Server, page 109. ! On the second VPN sites S-box, define the first VPN site as a Site to Site VPN gateway, and enable the VPN server using the procedure Setting Up Your S-box as a VPN Server, page 109. To add or edit VPN sites using SofaWare Safe@Office 1. In the Navigation Bar, click on VPN. The VPN Server page appears. 2. In the VPN submenu, click VPN Sites. The VPN Sites page appears with a list of VPN sites. 3. Do either of the following: ! To add a VPN site, click New Site. ! To edit a VPN site, click Edit in the desired VPN sites row. The SofaWare VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
4. Do one of the following:
   - Select Remote Access VPN to establish remote access from your VPN client to a VPN server or gateway.
   - Select Site to Site VPN to create a permanent bi-directional connection to another gateway.
5. Click Next.
- To provide the network configuration manually, select Specify Configuration.
9. Click Next. The following things happen in the order below:
- If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Do the following:
  1) In the Destination network column, enter up to three destination network addresses at the VPN site to which you want to connect.
  2) In the Subnet mask column, select the subnet masks for the destination network addresses.
Note: Obtain the destination networks and subnet masks from the VPN gateway's system administrator.
10. Do one of the following:
    - To configure the site for manual login, select Manual Login.
    - To enable the S-box to log on to the VPN site automatically, do the following:
      1) Select Automatic Login.
      2) Enter a user name and password to be used for logging on to the VPN site.
Note: While Automatic Login provides all the computers on your internal network with constant access to the VPN site, Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see Logging on to a VPN Site, page 114.
11. Click Next. If you chose to Download Configuration, the Connecting screen appears, and then the Contacting VPN Site screen appears. Click Next. Continue at Completing Site Creation, page 108.
6. In the VPN Gateway field, enter the IP address of the VPN gateway to which you want to connect, as given to you by the network administrator.
7. Do one of the following:
   - Select Restricted Access to allow the VPN site access to your network, according to the security rules defined on your S-box.
   - Select Unrestricted Access to allow the VPN site to access your network without restriction and bypass NAT.
8. Click Next. The Resolving screen appears. The VPN Network Configuration dialog box appears.
9. Do one of the following:
   - To obtain the network configuration by downloading it from the VPN site, select Download Configuration. This option will automatically configure your VPN settings, by downloading the network topology definition from the VPN server.
Note Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or SofaWare Safe@Office VPN gateway.
- To provide the network configuration manually, select Specify Configuration.
10. Click Next.
- If you chose Download Configuration, the Shared Secret dialog box appears.
Do the following:
1) In the Topology User field, enter the topology user's user name.
2) In the Topology Password field, enter the topology user's password.
3) Select either Use Shared Secret or Use Certificate.
   If you select Use Shared Secret, in the Shared Secret field, enter the shared secret to use for secure communications with the VPN site. This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and special characters.
   If you select Use Certificate, a certificate must have been installed. (Refer to Installing a Certificate, page 111 for more information about certificates and instructions on how to install a certificate.)
4) Click Next. The Connecting screen appears. The Contacting VPN Site screen appears.
- If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Do the following:
  1) In the Destination network column, enter up to three destination network addresses at the VPN site to which you want to connect.
  2) In the Subnet mask column, select the subnet masks for the destination network addresses.
Note: Obtain the destination networks and subnet masks from the VPN gateway's system administrator.
  3) Click Next. The Shared Secret dialog box appears.
  4) In the Shared Secret field, enter the shared secret to use for secure communications with the VPN site. This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and special characters.
11. Click Next. Continue at Completing Site Creation, page 108.
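The Specify Configuration steps above take up to three destination network and subnet mask pairs. The following Python check is an added example, not part of the SofaWare guide or the S-box firmware: it validates such pairs before they are typed into the wizard. The local LAN value (192.168.10.0 with mask 255.255.255.0, derived from the guide's default address 192.168.10.1) and the overlap checks are assumptions based on general routing practice, not documented S-box behaviour.

```python
import ipaddress

MAX_DESTINATIONS = 3  # "enter up to three destination network addresses"
# Assumption: LAN derived from the guide's default 192.168.10.1; mask is assumed.
DEFAULT_LAN = ("192.168.10.0", "255.255.255.0")


def mask_to_prefix(mask):
    """Return the prefix length of a dotted subnet mask, or None when the
    mask is not one contiguous run of 1-bits (for example 255.0.255.0)."""
    try:
        m = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return None
    inverted = m ^ 0xFFFFFFFF
    if inverted & (inverted + 1):      # the 0-bits are not all at the low end
        return None
    return bin(m).count("1")


def to_network(address, mask):
    """Turn one (address, mask) row into (IPv4Network or None, problem or None)."""
    prefix = mask_to_prefix(mask)
    if prefix is None:
        return None, f"{address}/{mask}: not a valid subnet mask"
    try:
        net = ipaddress.IPv4Network((address, prefix), strict=False)
    except ValueError:
        return None, f"{address}/{mask}: not a valid IPv4 address"
    if str(net.network_address) != address:
        return net, f"{address}/{mask}: host bits set, network is {net.network_address}"
    return net, None


def check_destinations(rows, local_lan=DEFAULT_LAN):
    """Validate the rows for the second VPN Network Configuration dialog.
    Returns (usable networks, list of problem strings)."""
    problems = []
    if len(rows) > MAX_DESTINATIONS:
        problems.append(f"{len(rows)} rows entered, the wizard accepts {MAX_DESTINATIONS}")
    lan, _ = to_network(*local_lan)
    accepted = []
    for address, mask in rows:
        net, problem = to_network(address, mask)
        if problem:
            problems.append(problem)
        if net is None:
            continue
        # A remote network that overlaps the local LAN is never routed to the
        # tunnel, because local hosts treat those addresses as on-link.
        if net.overlaps(lan):
            problems.append(f"{net}: overlaps local network {lan}")
        for other in accepted:
            if net.overlaps(other):
                problems.append(f"{net}: overlaps destination {other}")
        accepted.append(net)
    return accepted, problems


# Constructed sample input, not taken from any real VPN site.
SAMPLE_ROWS = [
    ("10.1.0.0", "255.255.0.0"),
    ("10.1.5.7", "255.255.255.0"),      # host address typed instead of network
    ("192.168.10.0", "255.255.255.0"),  # same range as the assumed local LAN
    ("172.16.0.0", "255.0.255.0"),      # non-contiguous mask
]

if __name__ == "__main__":
    networks, issues = check_destinations(SAMPLE_ROWS)
    for issue in issues:
        print("PROBLEM:", issue)
    print("usable:", [str(n) for n in networks])
```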
To set up your S-box as a VPN server 1. In the Navigation Bar, click on VPN. The VPN Server page appears.
2. Drag the Enabled/Disabled lever to Enabled. The VPN server is enabled. The Unrestricted Access/Restricted Access lever is enabled.
3. Do one of the following:
   - Drag the Unrestricted Access/Restricted Access lever to Restricted Access to allow the authenticated users access to your network, according to the security rules defined on your S-box.
   - Drag the Unrestricted Access/Restricted Access lever to Unrestricted Access to allow authenticated users to access your network without restriction and bypass NAT.
4. Follow the procedure Setting Up Remote VPN Access for Users, page 126.
Note Disabling the VPN server will cause all existing VPN tunnels to disconnect.
To delete a VPN site
1. In the Navigation Bar, click on VPN.
   - If the VPN Server page appears, click on VPN Sites in the VPN submenu.
   - The VPN Sites page appears, with a list of VPN sites.
2. In the desired VPN site's row, click on the Delete icon. A confirmation message appears.
3. Click OK. The VPN site is deleted.
You can only connect to VPN sites that are enabled.
To enable/disable a VPN site
1. In the Navigation Bar, click on VPN.
   - If the VPN Server page appears, click on VPN Sites in the VPN submenu.
   - The VPN Sites page appears, with a list of VPN sites.
2. To enable a VPN site, do the following:
   a. Click on the icon in the desired VPN site's row. A confirmation message appears.
   b. Click OK. The icon changes, and the VPN site is enabled.
3. To disable a VPN site, do the following:
Note Disabling a VPN site eliminates the tunnel and erases the network topology.
   a. Click on the icon in the desired VPN site's row. A confirmation message appears.
   b. Click OK. The icon changes, and the VPN site is disabled.
Installing a Certificate
SofaWare Safe@Office supports the use of digital certificates.
A digital certificate is a secure means of authenticating the S-box to other VPN gateways. The certificate is issued by the Certificate Authority (CA) to entities such as gateways, users, or computers. The entity then uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguishing Name (DN) (identifying information) of the entity, as well as the public key (information about itself). After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates. The S-box supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format. The PKCS#12 file must have a ".p12" file extension.
Note: To use certificate authentication, each S-box should have a unique certificate. Do not use the same certificate for more than one gateway.
If you do not have a PKCS#12 file, obtain it from your network security administrator.
To install a certificate 1. In the Navigation Bar, click on VPN. The VPN Sites page appears, with a list of VPN sites. 2. Click on Certificate. The VPN Certificate page appears, with instructions on how to install the certificate.
3. Click Browse to open a file browser from which to locate and select the file. The filename that you selected is displayed. 4. Click Update. You are requested to enter the pass-phrase. This pass-phrase is used only one time, to decrypt the certificate.
5. Type in the pass-phrase received from the network security administrator.
6. Click OK. The certificate is installed. The name of the CA that issued the certificate and the name of the gateway to which this certificate was issued appear.
Uninstalling a certificate
You cannot uninstall the certificate if there is a VPN site currently defined to use certificate authentication. When a certificate is currently installed, the VPN Certificate page presents two options:
- Install: Pressing Install will allow you to install a new certificate. The current certificate will be replaced.
- Uninstall: Pressing Uninstall will uninstall the current certificate only. Therefore, no certificate exists on the S-box, and you will not be able to connect to the VPN if a certificate is still required.

To uninstall a certificate
1. In the Navigation Bar, click on VPN. The VPN Sites page appears, with a list of VPN sites.
2. Click Certificate. The VPN Certificate page appears, displaying the name of the currently installed certificate.
You need to manually log on to Remote Access VPN sites configured for Manual Login. You do not need to manually log on to a Remote Access VPN site configured for Automatic Login or a Site to Site VPN gateway: all the computers on your network have constant access to it. Manual Login can be done through either the SofaWare Safe@ Portal or the my.vpn page. When you log on, a VPN tunnel is established. Only the computer from which you logged on can use the tunnel. To share the tunnel with other computers in your home network, you must log on to the VPN site from those computers, using the same user name and password.
Note You must use a single user name and password for each VPN destination gateway.
Note You can only perform manual login to sites that are configured for Manual Login.
To manually log on to a VPN site through the Safe@ Portal 1. In the Navigation Bar, click on VPN. The VPN Sites or VPN Server page appears. 2. In the VPN submenu, click on VPN Login. The VPN Login page appears.
3. From the Site Name list, select the site to which you want to log on.
Note Disabled VPN sites will not appear in the Site list.
4. Enter your user name and password in the appropriate fields. 5. Click Connect.
- If the S-box is configured to automatically download the network configuration, the S-box downloads the network configuration.
- If when adding the VPN site you specified a network configuration, the S-box attempts to create a tunnel to the VPN site.
- The VPN Login Status box appears. The Status field tracks the connection's progress.
- Once the S-box has finished connecting, the Status field changes to Connected.
- The VPN Login Status box remains open until you manually log off the VPN site.
Note: You don't need to know the my.firewall page administrator's password in order to use the my.vpn page.
To manually log on to a VPN site through the my.vpn page
1. Direct your web browser to http://my.vpn. The VPN Login screen appears.
2. In the Site list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4. Click Connect.
   - If the S-box is configured to automatically download the network configuration, the S-box downloads the network configuration.
   - If when adding the VPN site you specified a network configuration, the S-box attempts to create a tunnel to the VPN site.
   - The VPN Login Status box appears. The Status field tracks the connection's progress.
   - Once the S-box has finished connecting, the Status field changes to Connected.
   - The VPN Login Status box remains open until you manually log off of the VPN site.
You need to manually log off a VPN site in the following cases:
- You are using SofaWare Safe@Home Pro.
- The VPN site is a Remote Access VPN site configured for Manual Login.

To log off a VPN site
In the VPN Login Status box, click Close. All open tunnels from the S-box to the VPN site are closed, and the VPN Login Status box closes.
Note Closing the browser or dismissing the VPN Login Status box will also terminate the VPN session within a short time.
VPN tunnels are created and closed as follows: Remote Access VPN sites configured for Automatic Login and Site to Site VPN gateways: A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site. The tunnel is closed when not in use for a period of time.
Note Although the VPN tunnel is automatically closed, the site remains open, and if you attempt to communicate with the site, the tunnel will be reestablished.
Remote Access VPN sites configured for Manual Login: A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site, after you have manually logged on to the site. All open tunnels connecting to the site are closed when you manually log off. To view VPN tunnels 1. In the Navigation Bar, click on Reports. The Event Log page appears. 2. In the Reports submenu, click on VPN Tunnels. The VPN Tunnels page appears with a table of open tunnels to VPN sites.
The VPN site's name
The user logged on to the VPN site
The type of encryption used to secure the connection, followed by the type of Message Authentication Code (MAC) used to verify the integrity of the message. This information is presented in the following format: Encryption type/Authentication type
Note: All VPN settings are automatically negotiated between the two sites. The encryption and authentication schemes used for the connection are the strongest of those used at the two sites. Your S-box supports AES, 3DES and DES encryption schemes, and MD5 and SHA authentication schemes.
Established Time
The time at which the tunnel was established. This information is presented in the following format: Hour:Minute:Second
VPN Gateway
Chapter 9
Managing Users
In SofaWare Safe@Home and SofaWare Safe@Home Pro, there is a single user called "admin". You can change this user's password using the procedure Changing Your Password, page 121. In SofaWare Safe@Office you can define multiple users and perform the following tasks:
- Changing Your Password, page 121
- Adding Users, page 124
- Viewing and Editing Users, page 124
- Deleting Users, page 126
- Setting Up Remote VPN Access for Users, page 126
This task can only be performed using SofaWare Safe@Home or SofaWare Safe@Home Pro.
To change your password 1. In the Navigation Bar click on Password. The Password page appears.
To change your password using SofaWare Safe@Office 1. In the Navigation Bar click on Users. The Users page appears.
2. In the row of your username, click Edit. The Edit User page appears.
Adding Users
This task can only be performed using SofaWare Safe@Office.
The number of S-box users you can add is limited according to your software. For further information, see SofaWare S-box Software, page 7.
To add a user
1. In the Navigation Bar click on Users. The Users page appears.
2. Click New User. The Edit User page appears. The options that appear on the page are dependent on the software and services you are using.
3. Complete the fields using the information in Table 1, page 125.
4. Click Apply. The new user is saved. The Edit User page appears.
To view or edit users
1. In the Navigation Bar click on Users. The Users page appears.
2. In the desired user's row, click Edit. The Edit User page appears with the user's details. The options that appear on the page are dependent on the software and services you are using.
3. To edit the user's details, do the following:
   a. Edit the fields using Table 1, page 125.
   b. Click Apply. The changes are saved.
4. To return to the Users page without making any changes, click Cancel.
Username
Enter a username for the user. You cannot change the admin user's username.
Password
Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password.
Re-enter the user's password.
Select this option to allow the user to log on to my.firewall. This option cannot be disabled for the admin user.
Select this option to allow the user to connect to this S-box using their VPN client. For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users, page 126. This option only appears in SofaWare Safe@Office.
Select this option to allow the user to override Web Filtering. This option only appears if the Web Filtering service is defined.
Deleting Users
This task can only be performed using SofaWare Safe@Office.
To delete a user
1. In the Navigation Bar click on Users. The Users page appears.
2. In the desired user's row, click the Delete icon. A confirmation message appears.
3. Click OK. The user is deleted.
If you are using your S-box as a VPN server, you can allow users to access it remotely through their VPN clients (a Check Point SecureClient, Check Point SecuRemote, SofaWare Safe@Home Pro or SofaWare Safe@Office). To set up remote VPN access for a user 1. Enable your VPN server, using the procedure Setting Up Your S-box as a VPN Server, page 109. 2. Add the user to the system, using the procedure Adding Users, page 124. You must select the VPN Remote Access option.
Chapter 10
To upgrade your product, you must install the new Product Key. To install a Product Key 1. In the Navigation Bar click on Setup. The Internet page appears. 2. Click the Firmware tab. The Firmware page appears.
3. In the Advanced area, click Upgrade. The SofaWare Setup Wizard opens, with the Install Product Key dialog box displayed.
4. Select Product Key. 5. In the Product Key field, enter the new Product Key. 6. Click Next. The Installed New Product Key dialog box appears.
8. Do one of the following:
   - To register your S-box later on, do the following:
     1) Clear the I want to register my product check box.
     2) Click Next.
   - To register your S-box now, click Next. A second Registration dialog box appears.
3) Enter your contact information in the appropriate fields. 4) To receive email notifications regarding new firmware versions and services, select the check box. 5) Click Next. The Registration screen appears. The third Registration dialog box appears.
9. Click Finish. Your S-box is restarted and the Welcome page appears.
6. Click Next. The first Registration dialog box appears. 7. Verify that the I want to register my product check box is selected. 8. Click Next. A second Registration dialog box appears. 9. Enter your contact information in the appropriate fields. 10. To receive email notifications regarding new firmware versions and services, select the check box. 11. Click Next. The Registration screen appears. The third Registration dialog box appears. 12. Click Finish. Your S-box is restarted and the Welcome page appears.
5. Select the image file that you have downloaded from the SofaWare web site and click Open. The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box.
6. Click Upload. Your S-box firmware is updated; this may take one minute. At the end of the process the S-box restarts automatically.
Chapter 11
Troubleshooting
If your S-box is not functioning normally, follow the guidelines in the Frequently Asked Questions, page 135, and perform the following tasks as needed:
- Viewing Firmware Status, page 140
- Resetting the S-box to factory defaults, page 141
- Rebooting the SofaWare S-box, page 142
- Running Diagnostics, page 143
I cannot access http://my.firewall or http://my.vpn. What should I do?
- Verify that the S-box is operating (PWR/SEC LED is active).
- Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the S-box is connected properly.
- Try surfing to 192.168.10.1 instead of to my.firewall.
Note 192.168.10 is the default value, and it may vary if you changed it in the My Network page.
- Check your TCP/IP configuration according to Chapter 2.
- Restart your S-box and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
- If your web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions list.

Every time I start Internet Explorer, the application searches for an Internet connection. This is unnecessary, since I am connected through the S-box. What should I do?
For Internet Explorer, versions 5 and 6, do the following:
1. Open the browser.
2. On the Tools menu, click Internet Options, then click the Connections tab.
3. For each item in the Dial-up Settings list, do the following:
   a. Select the item.
   b. Select Never dial a connection.
4. Click Apply.
5. Click OK.
6. Close all active browsers and try again.
Every time I start Outlook Express, the application searches for an Internet connection. This is unnecessary, since I am connected through the S-box. What should I do?
For Outlook Express, versions 5 and 6, do the following:
1. Open Outlook Express.
2. On the Tools menu, click Accounts, then click the Mail tab.
3. For each of the accounts configured in the mail window, do the following:
   a. Click Properties, then click the Connection tab.
   b. Clear the Always connect to this account using check box.
   c. Click OK.
4. Click Close.
5. Close all active browsers and try again.

I run a public Web server at home but it cannot be accessed externally, although it is accessible to the computers on my network. What should I do?
Surf to the security page and use the Servers submenu to allow access to your server.

My network seems extremely slow. What should I do?
- The Ethernet cables may be faulty. For proper operation, the S-box requires STP CAT5 (Shielded Twisted Pair Category 5) Ethernet cables. Make sure that this specification is printed on your cables.
- Your Ethernet card may be faulty or misconfigured. Try replacing your Ethernet card.

I cannot play a certain network game. What should I do?
Turn the S-box security to Low and try again. If the game still does not work, set the computer you wish to play from to be the DMZ server. When you have finished playing the game, make sure to clear the DMZ setting, otherwise your security might be compromised.
I have forgotten my password. What should I do?
Reset your S-box to factory defaults using the Reset button as detailed in Resetting the S-box to factory defaults, page 141. Note that this will erase all your settings.

I purchased SofaWare Safe@Home Pro or SofaWare Safe@Office, but I only seem to have SofaWare Safe@Home functionality. What should I do?
You have not installed your product key. For further information, see Upgrading Your Software Product, page 127.

I cannot connect to a VPN site using SofaWare Safe@Home Pro or SofaWare Safe@Office. What should I do?
Check whether there is a problem with your VPN client:
1. Do one of the following:
   - If you are using SofaWare Safe@Home Pro, add the demo Check Point VPN site, using the procedure Adding and Editing VPN Sites using SofaWare Safe@Home Pro, page 96, as follows:
     1) In the VPN Gateway Address dialog box, enter 207.40.230.20 in the VPN Gateway field.
     2) In the VPN Network Configuration dialog box, select Download Configuration.
   - If you are using SofaWare Safe@Office, add the demo Check Point VPN site, using the procedure Adding and Editing VPN Sites using SofaWare Safe@Home Pro, page 96, as follows:
     1) In the Welcome to the VPN Site Wizard dialog box, select Remote Access VPN.
     2) In the VPN Gateway Address dialog box, enter 207.40.230.20 in the VPN Gateway field.
     3) In the VPN Network Configuration dialog box, select Download Configuration.
2. Log on to the demo site, using vpndemo as your username and password.
3. Surf to http://207.40.230.22. The Check Point VPN-1 SecuRemote Demo Site should open and inform you that you successfully created a VPN tunnel.
I changed the network settings to incorrect values and am unable to correct my error. What should I do?
Reset the network to its default settings using the button on the back of the S-box unit. See Resetting the S-box to factory defaults, page 141.

I am using the S-box with another DSL/Cable router, and I am having problems with some applications.
The S-box performs Network Address Translation (NAT). It is possible to use the S-box behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your S-box. To fix this problem, do ONE of the following. (The solutions are listed in order of preference.)
- Consider whether you really need the router. The S-box can be used as a replacement for your router, unless you need it for some additional functionality that it provides, such as Wireless access.
- If possible, disable NAT in the router. Refer to the router's documentation for instructions on how to do this.

The following suggestions will work only if the router is connected to the WAN port of the S-box:
- If the router has a "DMZ Computer" option, set it to the S-box's external IP address.
- Set the router to direct all incoming connections to the S-box's external IP address.
Keep in mind that if you use the S-box behind another NAT device, you may lose some of the advantages of the S-box, such as broad application support and high performance. For additional information: consult our online Frequently Asked Questions (FAQ) at http://www.sofaware.com/support.
The Firmware page displays a table with the following information:
- Firmware Version: the current version of the firmware
- Hardware Type: the type of the current S-box hardware
- Hardware Version: the current hardware version of the S-box
- Installed Product: the licensed software and the number of allowed nodes
- Uptime: the time that elapsed from the moment the unit was turned on
To reset the S-box to factory defaults via the Web interface 1. In the Navigation Bar click on Setup. The Internet page appears. 2. Click the Firmware tab. The Firmware page appears. 3. Click on Factory Settings. A confirmation message appears.
4. Click OK. The S-box returns to its factory defaults; this process might take 30-60 seconds to finish. At the end of the process the gateway restarts automatically and the Gateway restart confirmation page appears.
5. Click OK. The gateway is restarted and within one minute the S-box Welcome page appears.
To reset the S-box to factory defaults using the Reset button 1. Make sure the S-box is powered on. 2. Using a sharp object, press the RESET button on the back of the S-box steadily for seven seconds and then release it. 3. Allow the S-box to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).
Warning If you choose to reset the S-box by disconnecting the power cable and then reconnecting it, be sure to leave the S-box disconnected for at least three seconds, or the S-box might not function properly until you reboot it as described below.
Running Diagnostics
You can view technical information about your S-box's hardware, firmware, license, network status, and subscription services. This information is useful for troubleshooting. You can copy and paste it into the body of an email and send it to technical support.
To run diagnostics
1. In the Navigation Bar click on Setup. The Internet page appears.
2. Click the Firmware tab. The Firmware page appears.
3. Click on Diagnostics. Technical information about your S-box appears in a new window.
4. To refresh the contents of the window, click Refresh. The contents are refreshed.
5. To close the window, click Close.
Appendix
Specifications
Technical Specifications
Height - 1.2 inches
Width - 8.0 inches
Length - 4.8 inches
Weight - 1.8 lbs
Input AC Power - 9VAC
Power consumption - 13.5W
Power supply - 100 VAC, 120 VAC or 230 VAC
FCC
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: 1. This device may not cause harmful interference. 2. This device must accept any interference received, including interference that may cause undesired operation. This Class B Digital apparatus complies with Canadian Standard ICES-003.
CE Declaration of Conformity
SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, declares that the SofaWare S-box is in conformity with the following standards:
Safety: EN 60950: 1992, IEC 90950: 1999, CS 22.2 950: 2000
EMC: EN 55022: 1998, EN 55024: 1998
SofaWare declares that this device is in conformity with the essential requirements specified in ANNEX I of Directive EMC 89/336/EEC and with Article 3.1 (a) and 3.1 (b) of Directive 99/05/EC (Radio Equipment and Telecommunications Terminal Equipment Directive).
Glossary
ADSL Modem (Asymmetric Digital Subscriber Line)
A device connecting a computer to the Internet via an existing phone line. ADSL modems offer a high-speed 'always-on' connection.

Cable Modem
A device connecting a computer to the Internet via the cable television network. Cable modems offer a high-speed 'always-on' connection.

Certificate Authority (CA)
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguishing Name (DN) (identifying information) of the entity, as well as the public key (information about itself), and possibly the IP address. After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates.

DHCP
Any machine requires a unique IP address to connect to the Internet using Internet Protocol. Dynamic Host Configuration Protocol (DHCP) is a communications protocol that assigns Internet Protocol (IP) addresses to computers on the network. DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer.

DMZ
A DMZ (demilitarized zone) allows one computer to be exposed to the Internet. An example of using a DMZ would be exposing a public server, while preventing outside users from getting direct access from this server back to the private network.
Domain Name System (DNS)
The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember "handles", that are translated into IP addresses. An example of a Domain Name is 'www.sofaware.com'.

Firewall
A program or a set of related programs, located on a network gateway server (in SofaWare Safe@Home's case it is the SofaWare S-box) protecting your private network resources from users (and abusers) on the Internet. A firewall inspects each packet to determine whether it complies with the security policy and blocks illegal traffic. SofaWare Safe@Home's inspection module examines every packet passing through the residential gateway, promptly blocking all unwanted communication attempts. Packets do not enter the home network unless they comply with the security policy.

Firmware
Software embedded in a device.

Gateway
A gateway is a network point that acts as an entrance to another network.

Hacking (or cracking)
An activity in which someone breaks into someone else's computer system, bypasses passwords or licenses in computer programs, or in other ways intentionally breaches computer security. The end result is that whatever resides on the computer can be viewed and sensitive data can be stolen without anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL)
A protocol for accessing a secure Web server. It uses SSL as a sublayer under the regular HTTP application. This directs messages to a secure port number rather than the default Web port number, and uses a public key to encrypt data. HTTPS is used to transfer confidential user information.
Hub
A device with multiple ports, connecting several PCs or network devices on a network.

IP Address
An IP address is a 32-bit number that identifies each computer sending or receiving data packets across the Internet. When you request an HTML page or send e-mail, the Internet Protocol part of TCP/IP includes your IP address in the message and sends it to the IP address that is obtained by looking up the domain name in the Uniform Resource Locator you requested or in the e-mail address you're sending a note to. At the other end, the recipient can see the IP address of the Web page requestor or the e-mail sender and can respond by sending another message using the IP address it received.

IPSEC
IPSEC is the leading Virtual Private Networking (VPN) standard. IPSEC enables individuals or offices to establish secure communication channels ('tunnels') over the Internet.

IP Spoofing
A technique where an attacker attempts to gain unauthorized access through a false source address to make it appear as though communications have originated in a part of the network with higher access privileges. For example, a packet originating on the Internet may be masquerading as a local packet with the source IP address of an internal host. The firewall can protect against IP spoofing attacks by limiting network access based on the gateway interface from which data is being received.

ISP
An ISP (Internet service provider) is a company that provides access to the Internet and other related services.

LAN
A local area network (LAN) is a group of computers and associated devices that share a common communications line and typically share the resources of a single server within a small geographic area.
MAC Address
The MAC (Media Access Control) address is a computer's unique hardware number. When connected to the Internet from your computer, a mapping relates your IP address to your computer's physical (MAC) address on the LAN.

Mbps
Megabits per second. Measurement unit for the rate of data transmission.

MTU
The Maximum Transmission Unit (MTU) is a parameter that determines the largest datagram that can be transmitted by an IP interface (without it needing to be broken down into smaller units). The MTU should be larger than the largest datagram you wish to transmit un-fragmented. Note: This only prevents fragmentation locally. Some other link in the path may have a smaller MTU, in which case the datagram will be fragmented at that point. Typical values are 1500 bytes for an Ethernet interface or 1452 for a PPP interface.

NAT
Network Address Translation (NAT) is the translation or mapping of an IP address to a different IP address. NAT can be used to map several internal IP addresses to a single IP address, thereby sharing a single IP address assigned by the ISP among several PCs. Check Point FireWall-1's Stateful Inspection Network Address Translation (NAT) implementation supports hundreds of pre-defined applications, services, and protocols, more than any other firewall vendor.

NetBIOS
NetBIOS is the networking protocol used by DOS and Windows machines.

Packet
A packet is the basic unit of data that flows from one source on the Internet to another destination on the Internet. When any file (e-mail message, HTML file, GIF file etc.) is sent from one place to another on the Internet, the file is divided into "chunks" of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file at the receiving end.

PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) enables connecting multiple computer users on an Ethernet local area network to a remote site or ISP, through common customer premises equipment (e.g. modem).

PPTP
The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private tunnels over the Internet. This protocol is also used by some DSL providers as an alternative for PPPoE.

RJ-45
The RJ-45 is a connector for digital transmission over ordinary phone wire.

Router
A router is a device that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks.

Server
A server is a program (or host) that awaits and fulfills requests from client programs across the network. For example, a Web server is the computer program, running on a specific host, that serves requested HTML pages or files. Your browser is the client program, in this case.

Stateful Inspection
Stateful Inspection was invented by Check Point to provide the highest level of security by examining every layer within a packet, unlike other systems of inspection. Stateful Inspection extracts information required for security decisions from all application layers and retains this information in dynamic state tables for evaluating subsequent connection attempts. In other words, it learns!
Subnet Mask
A 32-bit identifier indicating how the network is split into subnets. The subnet mask indicates which part of the IP address is the host ID and which indicates the subnet.

TCP
TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet. For example, when an HTML file is sent to you from a Web server, the Transmission Control Protocol (TCP) program layer in that server divides the file into one or more packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end (the client program in your computer), TCP reassembles the individual packets and waits until they have arrived to forward them to you as a single file.

TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is the underlying communication protocol of the Internet.

UDP
UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. UDP is often used for applications such as streaming data.
URL
A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. On the Web (which uses the Hypertext Transfer Protocol), an example of a URL is 'http://www.sofaware.com'.

VPN
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

VPN tunnel
A secure connection between a VPN client and a VPN server.
Index
A
account, configuring, 93
active computers, viewing, 68
active connections, viewing, 67
Allow rules
  creating, 75
  deleting, 77
  explained, 74
Automatic Login, 114

B
Block rules
  creating, 75
  deleting, 77
  explained, 74

C
cable type, 26

D
Demilitarized Zone. See DMZ
DHCP server
  enabling/disabling, 54
  explained, 54
diagnostics, 143
DMZ
  defining a computer as, 77
  explained, 77
Dynamic Host Configuration Protocol Server. See DHCP server

E
Email Anti Virus
  disabling, 87
  enabling, 87
  selecting protocols for, 88
  snoozing, 89
event log, viewing, 65

F
firewall
  levels, 71
  setting security level, 71
firmware
  explained, 140
  updating manually, 132
  viewing status, 140

H
HTTPS, configuring, 58

I
installation
  cable type, 26
Internet connection
  configuring, 27
  establishing quick, 57
  terminating, 57
  troubleshooting, 135, 136, 137

M
Manual Login, 114

N
NAT
  enabling/disabling, 57
  explained, 57
network
  changing internal range of, 55
  configuring, 54
  enabling DHCP Server on, 54
  enabling NAT on, 57
  managing, 53
  viewing activity, 53
Network Address Translation. See NAT
node limit, viewing, 69

P
password
  changing, 121
  setting up, 27
product key, 127
  installing, 127

R
Remote Access VPN sites, 96
reports
  active computers, 68
  active connections, 67
  event log, 65
  node limit, 69
  viewing, 65

S
Safe@ Portal
  accessing through the Internet, 58
  logging off, 51
  logging on, 45, 47
  using, 49
Safe@Home, 7, 8
Safe@Home Pro, 7, 8
Safe@Office, 7, 8
Safe@Office Plus, 7, 8
S-box
  about, 7
  changing internal IP address of, 55
  configuring Internet connection, 27
  features, 10
  front panel, 13
  installing, 26
  rear panel, 12
  rebooting, 142
  registering, 131
  resetting to factory defaults, 141
  setting up as a VPN server, 109
  software, 7
  technical specifications, 145
security
  configuring virtual servers, 72
  creating rules, 74
  defining a computer as DMZ, 77
  firewall, 71
  managed services, 79
  setting policy, 71
Service Center
  connecting to, 79
  disconnecting from, 83
  refreshing a connection to, 93
services, 79
  canceling, 83
  Email Anti Virus, 87
  software updates, 91, 132
  status of, 83
  subscribing to, 79
  viewing information on, 83
  Web Filtering, 84
setup
  advanced, 35
  wizard, 29
Site to Site VPN gateways, 102
software updates, 132
  checking for manually, 91
  explained, 91
software, upgrading, 127
static routes
  adding, 59
  deleting, 63
  viewing and editing, 61

T
TCP/IP
  setting up for MAC OS, 24
  setting up for Windows 95/98, 15
  setting up for Windows XP/2000, 20
troubleshooting, 135
  rebooting the S-box, 142
  resetting the S-box to factory defaults, 141
  running diagnostics, 143
  viewing firmware status, 140
typographical conventions, 9

U
users
  deleting, 126
  setting up remote VPN access for, 126
  viewing and editing, 124

V
virtual private network. See VPN
virtual servers, configuring, 72
VPN clients, explained, 95
VPN functionality
  in Safe@Home Pro, 96
  in Safe@Office, 96
VPN gateways
  explained, 95
  Site to Site, 102
VPN server, setting up the S-box as, 109
VPN servers, explained, 95
VPN sites
  adding and editing in Safe@Home Pro, 96
  adding and editing in Safe@Office, 102
  deleting, 110
  enabling/disabling, 110
  logging off, 118
  logging on, 114
  Remote Access, 96, 102
VPN tunnels
  creation and closing of, 118
  establishing, 114
  explained, 95
  viewing, 118
VPN, explained, 95

W
Web Filtering
  disabling, 84
  enabling, 84
  selecting categories for, 85
  snoozing, 85